Chicago School of Cybersecurity: How the NIST Cybersecurity Framework Can Apply to All IT Organizations (Part 1)

Cohesive Networks
Cybersecurity War Stories
4 min read · Jun 3, 2015

By: Dwight Koop, COO at Cohesive Networks

Lately I’ve been spending hours going through the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Unlike the many other standards out there, the NIST Framework combines the best of existing rules, assessments, regulations and guidelines into a single unifying cybersecurity reference guide.

While it’s created for critical infrastructure — banking, transportation, oil and gas, defense, and so on — the standard is applicable to most organizations. The NIST Framework is easy to apply, once you dig through it.

I’ve also been thinking about the Chicago School lately, particularly in architecture. Chicago School architecture is not a hard and fast set of design rules, but a style. In the built world, Chicago School architects were among the first to use new technologies like steel frame construction, to use less exterior ornamentation, and to design the “Chicago window” to let in more light and ventilation.

So in my Chicago school of cybersecurity, I look at the NIST Framework to embrace new technologies without frills and shed light on how the Framework can help your organization.

The Rookery Building, designed by Chicago School architects John Wellborn Root and Daniel Burnham (Burnham and Root), mixes traditional architectural styles with newer construction techniques. The building is considered the oldest standing high-rise in Chicago, and the lobby was remodeled in 1905 by Frank Lloyd Wright. Image via WikiMedia Commons.

Before the NIST Framework — the fog of more

There are literally thousands of documented standards that cover topics from accounting to family privacy rights, from health records to electricity grid control cybersecurity risks. All these standards and protections essentially prescribe the same controls for the same problem: protecting sensitive data and the systems that handle it. Imagine reading through the Health Insurance Portability and Accountability Act (or HIPAA to most), but replace any mention of “electronic health record” with “credit card information” and you might suddenly be reading the Payment Card Industry Data Security Standard (PCI DSS).

The big names among the pre-NIST cybersecurity standards should read like a familiar alphabet soup: CERT, COBIT, CSA, CSET, ISO, NIST 800, PCI, and so on. Working in security for regulated industries brings some familiarity with these rules and governing bodies. One of my favorite lines from my NIST reading was the description of pre-NIST standards as “the fog of more.”

Pre-NIST standards offer competing priorities, opinions, and processes. Each one has its own pay-to-play certifications, software tools, vendor benchmarks, and all the trappings of a stodgy cybersecurity officiousness. So why create a new standard for all critical infrastructure while all of these standards exist?

A history — why we needed yet another standard

Executive Order 13636 tasks the Department of Homeland Security (DHS) with consolidating cybersecurity guidelines, encouraging private sector feedback, and promoting NIST Framework adoption. Image via WhiteHouse.gov

Presidential Executive Order (EO) 13636 kicked off the process of creating the NIST Cybersecurity Framework in 2013. The signed order called for improved cybersecurity for the nation’s critical infrastructure. The order directed NIST to lead development of the Framework through an open, consultative process that very actively involved private sector subject-matter experts and private companies, and it tasked the Department of Homeland Security (DHS) with coordinating the voluntary program for adopting it.

The NIST Framework codifies the move from traditional audit-focused policies toward a risk-based approach. The traditional procedures focused on audits, compliance objectives, policies, and transactions. A risk-based approach to cybersecurity instead focuses on the business and the customer, emphasizes risk management over compliance tracking, and incorporates diverse knowledge and experience.

Part of the Executive Order’s mandate to organize and coordinate the Framework is that DHS must increase information sharing, protect privacy and civil liberties, identify the infrastructure at greatest risk, and of course outline the need for additional government-funded research. Knowing the shift toward risk-based standards, the NIST group brought in private sector consultants and experts, per the Executive Order. And fittingly, the politics of the Order and the NIST Framework made sure to write in that adoption should be voluntary, with incentives, or, as we in the real world call them, regulations, but I digress…

Why the NIST Cybersecurity Framework works

I believe the NIST Framework is an important advance in improving our cybersecurity. Why? While it is yet another, redundant standard, it is a single unifying document. It is sponsored through DHS’s mandate, and its informative references map to the existing standards of many U.S. government agencies and regulatory authorities. The Framework is a process for enterprises to begin or update the risk-management approach behind their defense in depth.

A glimpse of the NIST Framework Core, which organizes other compliance and regulatory standards into five Functions (Identify, Protect, Detect, Respond, Recover), each broken into Categories and Subcategories with informative references to existing standards, via NIST.gov

So, no, the NIST Framework is not an in-depth technical solution to the cybersecurity mess. It does cover a wide range of industries and potential risks. The Framework was not designed for small businesses, but for massive critical infrastructure firms like nuclear facilities, the global banks, and defense manufacturers. Even so, I believe any organization can use the Framework as a jumping-off point to establish its own internal cybersecurity standard.

Check out the slides from my presentation to the US Secret Service Electronic and Financial Crimes Task Force in Chicago:

Subscribe to the Cybersecurity War Stories publication on Medium to get more from me and other IT security professionals in the trenches.
